CVE-2024-27281

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-27281

4.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

A

n issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed version is rdoc 6.3.4.1. For Ruby 3.1 users, a fixed version is rdoc 6.4.1.1. For Ruby 3.2 users, a fixed version is rdoc 6.5.1.1.

References
Link Resource
https://hackerone.com/reports/1187477
https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
https://hackerone.com/reports/1187477
https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/
https://lists.fedoraproject.org/archives/list/[email protected]/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/
https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/
Configurations

No configuration.

History

04 Nov 2025, 18:16

Type Values Removed Values Added
References
  • () https://lists.fedoraproject.org/archives/list/[email protected]/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/ -
  • () https://lists.fedoraproject.org/archives/list/[email protected]/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N/ -

04 Nov 2025, 17:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html -

21 Nov 2024, 09:04

Type Values Removed Values Added
References () https://hackerone.com/reports/1187477 - () https://hackerone.com/reports/1187477 -
References () https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/ - () https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281/ -

20 Aug 2024, 14:35

Type Values Removed Values Added
Summary
  • (es) Se descubrió un problema en RDoc 6.3.3 a 6.6.2, tal como se distribuye en Ruby 3.x a 3.3.0. Al analizar .rdoc_options (utilizado para la configuración en RDoc) como un archivo YAML, la inyección de objetos y la ejecución remota de código resultante son posibles porque no hay restricciones en las clases que se pueden restaurar. (Al cargar el caché de documentación, la inyección de objetos y la ejecución remota de código resultante también son posibles si hubiera un caché manipulado). La versión principal fija es 6.6.3.1. Para los usuarios de Ruby 3.0, una versión fija es rdoc 6.3.4.1. Para los usuarios de Ruby 3.1, una versión fija es rdoc 6.4.1.1. Para los usuarios de Ruby 3.2, una versión fija es rdoc 6.5.1.1.
CWE CWE-502
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 4.5

14 May 2024, 15:11

Type Values Removed Values Added
New CVE
Information

Published : 2024-05-14 15:11

Updated : 2025-11-04 18:16

NVD link : CVE-2024-27281

Mitre link : CVE-2024-27281

CVE.ORG link : CVE-2024-27281

JSON object : View

Products Affected

No product.

CWE
CWE-502

Deserialization of Untrusted Data